bepsvpt/secure-headers

Laravel duplicates X-Content-Type-Options header

johnboc opened this issue · 6 comments

I am using secure-headers in a Laravel project and get an A when scanning the site using securityheaders.io. I do get the following two warnings:

X-Frame-Options There was a duplicate X-Frame-Options header.
X-Content-Type-Options There was a duplicate X-Content-Type-Options header.

Laravel is adding the duplicates from Illuminate\Http\Middleware\FrameGuard.php. Is there a way to prevent this occurring?
Thanks

Did you add Illuminate\Http\Middleware\FrameGuard.php to your app/Http/Kernel.php?

I couldn't find anywhere that Laravel adds this middleware to the middleware list.

No. I've searched all php files in the Laravel project for 'X-Frame-Options' with these results:
\config\secure-headers.php

\vendor\bepsvpt\secure-headers\config\secure-headers.php

\vendor\bepsvpt\secure-headers\src\SecureHeaders.php
'X-Frame-Options' => $this->config['x-frame-options'],
'X-Frame-Options' => $this->config['x-frame-options'],

\vendor\bepsvpt\secure-headers\tests\MiddlewareTest.php
$this->assertArrayHasKey('x-frame-options', $headers);

\vendor\bepsvpt\secure-headers\tests\SecureHeadersTest.php
$this->assertArrayHasKey('X-Frame-Options', $headers);

\vendor\laravel\framework\src\Illuminate\Http\Middleware\FrameGuard.php
$response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);

FrameGuard is referenced in the following files only:
\vendor\composer\autoload_classmap.php
'Illuminate\Http\Middleware\FrameGuard' => $vendorDir . '/laravel/framework/src/Illuminate/Http/Middleware/FrameGuard.php',
'Illuminate\Http\Middleware\FrameGuard' => $vendorDir . '/laravel/framework/src/Illuminate/Http/Middleware/FrameGuard.php',

\vendor\composer\autoload_static.php
'Illuminate\Http\Middleware\FrameGuard' => __DIR__ . '/..' . '/laravel/framework/src/Illuminate/Http/Middleware/FrameGuard.php',
'Illuminate\Http\Middleware\FrameGuard' => __DIR__ . '/..' . '/laravel/framework/src/Illuminate/Http/Middleware/FrameGuard.php',

\vendor\laravel\framework\src\Illuminate\Http\Middleware\FrameGuard.php
class FrameGuard

The headers generated by Laravel are listed after those by secure-headers in the securityheaders.io report

Did you set these two headers in web server config file, like nginx or apache?

Why didn't I think of that!!!! A colleague set up the nginx server, so a left hand / right hand problem.
Thank you

FYI, if you want to disable these two headers, just set them to null or an empty string.

If you have any further questions, feel free to open a new issue or reply in this issue. 😄
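The root cause in this thread was two independent emitters of the same header (the secure-headers middleware and an `add_header` line in the nginx server block), which is easy to miss when the scanner only reports "duplicate". The script below is an added example, not code from the issue or from the secure-headers project: it reads raw HTTP response headers (as produced by `curl -sI`) and lists every header name that occurs more than once, so the duplicate can be traced before deciding whether to drop the nginx `add_header` line or set the key to null in `config/secure-headers.php` as the maintainer suggests. The sample response is constructed; `https://example.com` in the usage comment is a placeholder hostname.

```shell
#!/bin/sh
# Added example (not from the issue thread or the secure-headers project).
# Report response header names that appear more than once.
#
# Usage against a live site (placeholder hostname):
#   curl -sI https://example.com | find_duplicate_headers

# Reads raw HTTP response headers on stdin; prints each header name,
# lower-cased, that occurs more than once (one name per line, sorted).
find_duplicate_headers() {
    tr -d '\r' |                              # drop CRLF line endings from the wire format
    grep -i '^[a-z0-9-][a-z0-9-]*:' |         # keep "Name: value" lines, skip the status line
    cut -d: -f1 |                             # header name only
    tr '[:upper:]' '[:lower:]' |              # header names are case-insensitive
    sort | uniq -d                            # names seen at least twice
}

# Constructed sample: the middleware sets both headers once and an nginx
# add_header line appends them again with a different letter case, which
# is exactly what securityheaders.io flags as a duplicate.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff'

# Wrapper so the constructed sample can be checked without network access.
duplicates_in_sample() {
    printf '%s\n' "$SAMPLE_HEADERS" | find_duplicate_headers
}

duplicates_in_sample
```

Header names are compared case-insensitively on purpose: nginx and PHP may emit different casing for the same header, and browsers treat them as the same field, so a case-sensitive comparison would hide the duplicate. Once the names are known, `grep -rn add_header /etc/nginx` (assumed default config path) shows which server block is the second emitter.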